Wednesday, June 6, 2012

The current module does not allow you to download EXEs; in fact, these are specifically blacklisted. This makes sense because that's not what the exploit is for. Anyway, someone asked me if it was possible to download a file (specifically a pre-generated exe) over WebDAV. I know an auxiliary module that acts as a WebDAV server has been a request for a while, but it looked like the dll_hijacker module could accomplish it. I added a block of code to the process_get function to handle the exe and then removed .exe from the blacklist.

So if LOCALEXE is set to TRUE, the module serves up the local exe at the path/filename you specify; if not, it generates an executable based on the payload options (yes, I realize AV will essentially make this part useless).

Below is a "show options" with nothing set. The default is to generate an EXE payload; if you want to use your own local EXE, you need to set LOCALEXE to TRUE.

msf exploit(webdav_file_server) > show options

Module options (exploit/windows/dev/webdav_file_server):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BASENAME    policy           yes       The base name for the listed files.
   EXTENSIONS  txt              yes       The list of extensions to generate
   LOCALEXE    false            yes       Use a local exe instead of generating one based on payload options
   LOCALFILE   myexe.exe        yes       The filename to serve up
   LOCALROOT   /tmp/            yes       The local file path
   SHARENAME   documents        yes       The name of the top-level share.
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     80               yes       The daemon port to listen on (do not change)
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH     /                yes       The URI to use (do not change).

Exploit target:

   Id  Name
   --  ----
   0   Automatic